Originally Published: Sunday, 1 October 2000 Author: Mike Baker
Published to: IRC Recap

Best of IRC for Monday, October 2nd!

Welcome back! In this edition we'll be continuing on with more of the frequently asked questions from #Linuxhelp. If you'll recall in the last edition we talked about modems. Now it's time to talk about networking and sharing that connection!


IP Masquerade

How can I share my Internet connection between multiple computers?

What you need is something called IP Masquerade (IP Masq). IP Masq lets you share your Internet connection transparently with the other computers on your network. Unlike a proxy, those computers believe they are connected directly to the Internet. IP Masq is Linux's name for a simple form of Network Address Translation: the Linux machine rewrites outgoing packets so they appear to come from its own Internet address, and keeps a table of which internal computer opened which connection. When the reply comes back, all it has to do is look up the table to see who asked for it in the first place. IP Masq also acts as a primitive firewall: an incoming packet that matches nothing in the table is treated as addressed to the Linux machine itself and is never passed on to your network. That is not much security in itself (the Linux box is still fully exposed), but it means you only have to protect one machine.

How do I use IP Masq?

Before we get into the answer to that question, I'd like to set things up a bit with a quick crash course in networking so you'll understand what's going on.

The Internet is made up of groups of computers called subnets, joined together by gateways. A gateway forwards traffic from one subnet to another using a routing table, which tells it how to reach various hosts. When you bring up a web browser and connect to http://Linux.com/, your computer is not talking to Linux.com directly; it follows its own routing table to reach your gateway, and from there the packets travel through several subnets until they reach their final destination.

Every computer on the network has three basic settings: the IP Address (commonly just called the IP, which actually stands for Internet Protocol), the Netmask and the Default Gateway. The IP Address and Netmask together determine which computers are in your subnet, that is, which ones you can talk to directly. Think of the Netmask as marking the constant part of the IP Address (in binary). For example, an IP Address of 10.0.0.1 with a netmask of 255.255.255.0 means that 10.0.0.x is constant and x is variable, so my subnet runs from 10.0.0.0 to 10.0.0.255. I should point out that the lowest and the highest address, in this case 10.0.0.0 (the network address) and 10.0.0.255 (the broadcast address), are reserved.

Okay, so we still have 10.0.0.1 to 10.0.0.254 to play with, what if we want to get at 1.2.3.4?

This is where the Gateway comes in. It is basically a way of saying: if all else fails, ask this computer to send our information to another subnet and let it deal with it. That wasn't so hard, was it? The only thing left to mention is notation. To specify my subnet, we take the lowest address in it, 10.0.0.0, and combine it with our netmask, giving 10.0.0.0/255.255.255.0. Since that is a bit long, there is a shortcut: 10.0.0.0/24. The /24 comes from the fact that our netmask is 11111111 11111111 11111111 00000000 in binary, which is 24 ones followed by zeros.

Now, getting back to the topic of IP Masq, suppose 10.0.0.1 has a modem we wish to share:

The first thing to do is go into the network settings on all the other computers and set them to use 10.0.0.1 as their Gateway, so that whenever they try to reach anything outside the subnet they send it to 10.0.0.1. The next thing is to tell 10.0.0.1 about this: that it should act as a Gateway and send those requests out over the Internet. The trick is that it uses IP Masq to do so, so every request is rewritten to look as though it came from that one machine. The way we set up IP Masq on 10.0.0.1 is as follows:

<info> [ipmasq] assuming a 10.0.0.x network, ipchains -P forward DENY ; ipchains -A forward -s 10.0.0.0/24 -j MASQ ; echo 1 > /proc/sys/net/ipv4/ip_forward

Now for some explanation; there are three commands in that line:

ipchains -P forward DENY ; Set the default forwarding policy to DENY, so nothing is forwarded unless a later rule allows it
ipchains -A forward -s 10.0.0.0/24 -j MASQ ; Allow packets from 10.0.0.x to be forwarded, masqueraded behind this machine's address
echo 1 > /proc/sys/net/ipv4/ip_forward ; Turn on forwarding in the kernel; without this nothing is forwarded at all
It's a good idea to put these in a script somewhere, as you'll need to do this on every boot; for most people, adding the commands to the end of /etc/rc.d/rc.local or /etc/init.d/bootmisc.sh gets them run at startup. Now whenever 10.0.0.1 is connected to the Internet, 10.0.0.2 and all the other computers on the subnet will be connected as well.
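The following script is an added example, not something from the article or from #Linuxhelp. It ties the crash course above to the IP Masq setup: it works out the /24 notation from an IP address and a dotted netmask (refusing masks that are not a run of ones followed by zeros), shows which two addresses are reserved, and then prints the three commands from the article. The one change to those commands is that the MASQ rule is tied to the modem interface, so only packets actually leaving over the modem are rewritten. The address 10.0.0.1, the netmask 255.255.255.0 and the interface name ppp0 are assumptions; override them with LAN_IP, LAN_MASK and EXT_IF. Nothing is executed unless you set APPLY=1 (as root), so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example, not from the original article: derive the CIDR form of the
# LAN the crash course describes from an IP address and dotted netmask, then
# emit the IP Masq rules for it.  Assumptions (change to suit): the sharing
# box is 10.0.0.1 with netmask 255.255.255.0 and the modem link is ppp0.
# Rules are only printed unless APPLY=1 is set, so it is safe to run anywhere.

# Dotted netmask to prefix length: 255.255.255.0 -> 24.  A valid mask is a run
# of ones followed by zeros, so each octet must be one of nine values and
# nothing but 0 may follow an octet that is not 255.
mask2prefix() {
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "bad netmask" >&2; return 1; }
    bits=0; partial=0
    for octet in "$@"; do
        case $octet in
            255) n=8;; 254) n=7;; 252) n=6;; 248) n=5;; 240) n=4;;
            224) n=3;; 192) n=2;; 128) n=1;; 0) n=0;;
            *) echo "bad netmask octet $octet" >&2; return 1;;
        esac
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then
            echo "netmask is not contiguous" >&2; return 1
        fi
        [ "$n" -lt 8 ] && partial=1
        bits=$((bits + n))
    done
    echo "$bits"
}

# Network address (the lowest, reserved): AND each IP octet with the mask octet.
network_addr() {
    set -- $(echo "$1" | tr '.' ' ') $(echo "$2" | tr '.' ' ')
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Broadcast address (the highest, reserved): OR each IP octet with the
# inverted mask octet.
broadcast_addr() {
    set -- $(echo "$1" | tr '.' ' ') $(echo "$2" | tr '.' ' ')
    echo "$(($1 | (255 - $5))).$(($2 | (255 - $6))).$(($3 | (255 - $7))).$(($4 | (255 - $8)))"
}

# The three commands from the article, with the MASQ rule tied to the modem
# interface so that only packets leaving via $2 are rewritten (in the
# forward chain, -i names the interface the packet will go out of).
masq_rules() {
    cat <<EOF
ipchains -P forward DENY
ipchains -A forward -s $1 -i $2 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

LAN_IP=${LAN_IP:-10.0.0.1}
LAN_MASK=${LAN_MASK:-255.255.255.0}
EXT_IF=${EXT_IF:-ppp0}

prefix=$(mask2prefix "$LAN_MASK") || exit 1
net=$(network_addr "$LAN_IP" "$LAN_MASK")
cidr="$net/$prefix"
echo "# LAN $LAN_IP netmask $LAN_MASK is $cidr; $net and $(broadcast_addr "$LAN_IP" "$LAN_MASK") are reserved"
if [ "${APPLY:-0}" = 1 ]; then
    masq_rules "$cidr" "$EXT_IF" | sh -e     # apply the rules (needs root)
else
    masq_rules "$cidr" "$EXT_IF"             # just show them
fi
```

Run it once with no arguments to check the subnet it worked out and the rules it would add; if they look right, `APPLY=1 ./masq.sh` as root applies them, and the same three lines can go at the end of rc.local as the article suggests.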

If it all sounds too simple to be true that's because it actually is simple, after you understand what it means.

So with IP Masq they can still reach my Linux machine, how do I keep it secure?

First you need to know what is running on your machine and accepting connections, because that is where someone might get in. One way is to run netstat -l and look at which services are listening; my favourite is lsof -i | grep LISTEN (if you don't have lsof you can find it here). I prefer lsof because it shows me which programs have which ports open, not just which ports are open. One caveat: only TCP sockets show a LISTEN state, so grep LISTEN hides UDP services such as a name server or portmap; run lsof -i -n -P (numeric addresses and ports) and read the UDP lines as well. Now, with that list of ports, you have to decide for each one whether to firewall the port or simply not run the program. If, for example, you want to run an ftp server on that machine for your local network and don't want anyone from the Internet to get at it, you would firewall that port.

For some basic protection you can firewall the service ports. These are the privileged ports, 0 to 1023, on which services like ftp, telnet, finger and www run, and there is generally no reason for anyone on the Internet to be reaching them on this machine. Two things about the rule: ipchains will only accept a port range together with -p tcp or -p udp, so you need one rule for each; and you should tie the rule to the modem interface (ppp0 here, or whatever your connection comes up as), otherwise it also cuts your own LAN off from that local ftp server:

ipchains -A input -i ppp0 -p tcp -d 0.0.0.0/0 0:1023 -j REJECT
ipchains -A input -i ppp0 -p udp -d 0.0.0.0/0 0:1023 -j REJECT

For more information about the ipchains command try man ipchains.
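As an added example (not from the article), here is the audit step above done as a script: it reads lsof -i output, keeps every TCP socket in LISTEN state and every UDP socket (which has no state, and is exactly what grep LISTEN misses), and turns the list into input rules that reject those ports on the modem interface only, so the LAN keeps its access. The lsof output embedded in the script is constructed to look like `lsof -i -n -P` on Linux, with the inetd, portmap, httpd and named entries made up for illustration; the interface name ppp0 is an assumption. Nothing is applied, the rules are only printed.

```shell
#!/bin/sh
# Added example, not from the original article: find the services that
# accept connections on the masquerading box and turn that list into input
# rules bound to the modem interface.  The lsof output below is constructed
# to look like `lsof -i -n -P` on Linux (numeric ports, one socket per line);
# the interface name ppp0 is an assumption.  Nothing is applied, only printed.

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
inetd     187 root    4u  IPv4    207      0t0  TCP *:21 (LISTEN)
inetd     187 root    5u  IPv4    208      0t0  TCP *:23 (LISTEN)
inetd     187 root    6u  IPv4    209      0t0  TCP *:79 (LISTEN)
portmap   152 root    4u  IPv4    170      0t0  UDP *:111
portmap   152 root    5u  IPv4    171      0t0  TCP *:111 (LISTEN)
httpd     230 root   16u  IPv4    300      0t0  TCP *:80 (LISTEN)
named     201 root   20u  IPv4    250      0t0  UDP 10.0.0.1:53
named     201 root   21u  IPv4    251      0t0  TCP 10.0.0.1:53 (LISTEN)
netscape  412 mike    9u  IPv4    410      0t0  TCP 10.0.0.1:1093->198.186.203.55:80 (ESTABLISHED)'

# Read lsof -i output on stdin and print "proto port program" for every
# socket that is accepting traffic.  TCP sockets count only in LISTEN state;
# UDP sockets carry no state at all, which is why `grep LISTEN` on its own
# misses them (portmap and named above would vanish from the list).
exposed_ports() {
    awk '
        $1 == "COMMAND" { next }                    # column header
        $8 != "TCP" && $8 != "UDP" { next }         # not an Internet socket
        $8 == "TCP" && $NF != "(LISTEN)" { next }   # client or closed TCP
        {
            name = $9; sub(/->.*/, "", name)        # strip the peer, if present
            n = split(name, a, ":")                 # port follows the last colon
            printf "%s %s %s\n", tolower($8), a[n], $1
        }' | sort -u
}

# Turn "proto port program" lines into ipchains rules that reject the port
# on the external interface only, so the LAN can still reach the service.
# ipchains needs -p tcp or -p udp before a port may be given.
block_rules() {
    while read -r proto port prog; do
        echo "ipchains -A input -i $1 -p $proto -d 0.0.0.0/0 $port -j REJECT  # $prog"
    done
}

# Convenience wrapper over the constructed sample; on a real box you would
# feed `lsof -i -n -P` into exposed_ports instead.
sample_exposed() {
    printf '%s\n' "$SAMPLE_LSOF" | exposed_ports
}

echo "# services exposed on this box:"
sample_exposed
echo "# rules to hide them from the Internet side:"
sample_exposed | block_rules "${EXT_IF:-ppp0}"
```

On a real machine replace the sample with `lsof -i -n -P | exposed_ports`; the eight rules it prints for this sample are the per-port version of the blanket 0:1023 rule above, with the benefit that you can see which program each one is protecting and decide to stop the program instead.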
